
Summary
This rule detects inbound communications containing a PDF attachment whose embedded object hash matches a known malicious sample. It targets attachments with file_type "pdf" and traverses their embedded objects (file.explode) to inspect the scan.pdf_obj_hash.object_hash value. A match against the specific hash cc08b7eae4b6f5f4e897dd0998b90e21 triggers a high-severity alert. The rule is designed to identify BEC/fraud campaigns that use invoices paired with a W-9 request as lures; it matches on a known PDF object hash rather than on the message text, so wording changes made to evade text-based filtering do not defeat the detection. Detection relies on file analysis and threat intelligence, focusing on inbound content carrying this hashed indicator. The approach is precise to a known sample and may miss variants lacking the exact hash, so ongoing hash updates and correlation with invoice-like patterns are recommended for broader coverage.
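The following is an added illustration of the detection logic described above, written here as a stand-alone Python script; it is not the rule's own code and not the detection platform's implementation. It assumes that each top-level PDF object is hashed as the raw bytes between "obj" and "endobj" (the platform's exact normalization for scan.pdf_obj_hash.object_hash is not stated on the page), that file_type "pdf" can be approximated by the %PDF- magic header, and that the hash list contains only the indicator given above. The sample PDF is constructed for the example and does not match the indicator.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicator from the rule description; a match is treated as high severity.
KNOWN_BAD_OBJECT_HASHES = {"cc08b7eae4b6f5f4e897dd0998b90e21"}

# Locates "<num> <gen> obj ... endobj" sections in an uncompressed PDF.
# Assumption: the hashed unit is the raw bytes between "obj" and "endobj";
# the platform's own normalization for pdf_obj_hash is not given on the page.
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)


def is_pdf(data: bytes) -> bool:
    """Approximates file_type == "pdf" using the magic header."""
    return data.lstrip().startswith(b"%PDF-")


def hash_pdf_objects(data: bytes) -> dict[int, str]:
    """Return {object_number: md5_hex} for every top-level object.

    This stands in for traversing file.explode output and reading
    scan.pdf_obj_hash.object_hash on each embedded object.
    """
    hashes = {}
    for match in _OBJ_RE.finditer(data):
        number = int(match.group(1))
        body = match.group(3).strip()
        hashes[number] = hashlib.md5(body).hexdigest()
    return hashes


@dataclass
class Attachment:
    file_name: str
    content: bytes


@dataclass
class Alert:
    file_name: str
    object_number: int
    object_hash: str
    severity: str = "high"


def scan_attachments(attachments, known_hashes=KNOWN_BAD_OBJECT_HASHES):
    """Emit one Alert per embedded PDF object whose hash is a known indicator."""
    alerts = []
    for att in attachments:
        if not is_pdf(att.content):
            continue  # non-PDF attachments are out of scope for this rule
        for number, digest in hash_pdf_objects(att.content).items():
            if digest in known_hashes:
                alerts.append(Alert(att.file_name, number, digest))
    return alerts


# Constructed sample: a minimal uncompressed PDF, not a real malicious file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    # The constructed sample carries no known-bad object, so no alert is raised.
    print(scan_attachments([Attachment("invoice.pdf", SAMPLE_PDF)]))
```

Because the match is on an object-level hash, a change to the lure text or file name leaves the indicator intact, while any change inside the matching object breaks it; the hash list is the part that needs ongoing maintenance, which is the caveat the summary raises.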
Categories
- Endpoint
- Network
Data Sources
- File
Created: 2026-07-03